
Then last night, I learned that security researcher Rubén Santamarta had notified US ICS-CERT of a vulnerability in BroadWin WebAccess, a web browser-based HMI product (also sold as Advantech). According to the notice, ICS-CERT forwarded the vulnerability information to BroadWin. Unfortunately, BroadWin was not able to validate the vulnerability.

Joel Langill and my team are working hard to analyze and test these vulnerabilities as fast as we can. We hope to have some mitigation white papers out in the next day or so. Check here for the status of the papers or sign up for automatic notification at http://www.tofinosecurity.com/user/register.

Concerns About the Release of the Vulnerabilities

Now while you are waiting for the white papers, I will comment on a number of things about this particular release of vulnerabilities that bother me.

First, these companies are not insignificant players in the SCADA/ICS market. If my memory serves me well, Iconics has a very large number of installations in the oil, gas and water industries, while RealFlex is a significant player in the water/waste water sectors. FactoryLink (formerly an independent called US Data) is a Siemens acquisition and on the way out, but has some 80,000 installations around the world (at least according to the Siemens brochure). Indusoft claims 125,000 Human Machine Interface and Supervisory Control and Data Acquisition systems (SCADA) operating worldwide. And Control Microsystems, now owned by Schneider Electric, is no minor player either. By my calculations, it adds up to something close to a million installed systems, a sign the HMI industry as a whole has some serious security issues.

Second, nearly all of these vulnerabilities come with proof of concept (POC) code. I am willing to bet that at least a half dozen workable exploits will be in public frameworks like Metasploit within two weeks (FYI, if you are willing to pay for them, all of the GLEG vulnerabilities are available for the Immunity Canvas exploit framework right now).

Vendors are not Responding

To make matters worse, these vendors seem to be acting like ostriches with their heads firmly in the sand. It has been over 48 hours since these vulnerabilities were announced and only one vendor (RealFlex) has ANY acknowledgement of the issues or guidance for customers posted on their website. The rest are letting their customers spin in the wind. Didn’t they learn anything from seeing all the grief a slow response to Stuxnet caused Siemens?

*** March 24th Update: Iconics posted a notice last night on their site. They have also informed me that they will announce the patch on their home page as soon as it is available. Still waiting for the others. ***

To add insult to injury, RealFlex, 7-Technologies IGSS, Iconics, Control Microsystems, Indusoft and Advantech previously have all had security vulnerabilities. Surely they should have set up a rapid response security plan by now?

Now to the US ICS-CERT's credit, they have learned from the past. They had basic awareness documents out Monday night (see links above). Nice work.

Again, we are working to develop mitigations for these products as fast as we can. Watch here for updates. In the meantime, if you have any of the above SCADA/ICS products, contact your vendor and ask for guidance. And if you get any, please let us know. The ICS community needs to work together to secure our critical systems.

Fortunately, all the vendors involved in this disclosure have acknowledged these issues and most (but not all) have created patches. For those users that cannot use those patches, we created several white papers to help mitigate these specific vulnerabilities; they are available at https://www.tofinosecurity.com/articles/professional/white-papers.

The bad news is that ICS vendors have only patched half of the vulnerabilities that were listed by ICS-CERT in 2011. Even worse, ICS-CERT stated 60% of the ICS patches did not fix the problem! So as an industry, we have a long way to go.